b"Audit Report\nCOMPUTER SECURITY AT THE\nDRUG ENFORCEMENT ADMINISTRATION\nAudit Report 97-14, (3/97)\nTABLE OF CONTENTS\nEXECUTIVE SUMMARY\nFINDINGS AND\nRECOMMENDATIONS\nI. SYSTEM SOFTWARE CONTROLS\nDefault Settings\nAudit Trails\nII. COMPUTER SECURITY\nMANAGEMENT\nPersonnel Security\nControls\nIndividual Access\nControls\nAdministrative\nSecurity Controls\nRisk Management\nPhysical and\nEnvironmental Security Controls\nIII. SECURITY\nSOFTWARE\nSTATEMENT ON INTERNAL\nCONTROLS\nSTATEMENT ON COMPLIANCE\nWITH LAWS AND REGULATIONS\nAPPENDIX I - Objectives, Scope\nand Methodology, and Background\nAPPENDIX II - Locations\nReviewed\nAPPENDIX III - DEA Comments\non the Audit Recommendations\nAPPENDIX IV - Office of the\nInspector General, Audit Division Analysis and Summary of Actions\nTaken to Close Report\nEXECUTIVE SUMMARY\nComputer security was reported by the Attorney General to the\nPresident in 1995 as a high risk area for six Department of\nJustice components, including the Drug Enforcement Administration\n(DEA). We found computer security continues to be a high risk at\nthe DEA, as we found in 1989 and the General Accounting Office\nfound in 1992. Our current audit found that:\n\xc2\x95 Computer default settings and audit trails were not\nimplemented effectively to protect DEA's sensitive computer\nresources and to detect unauthorized access.\n\xc2\x95 Computer security management was inadequate\nbecause: (1) personnel were not properly cleared, authorized,\nand trained for access to sensitive computer resources; (2)\ncomputer equipment was not properly controlled and\nsafeguarded; (3) risk analyses and contingency plans were not\nalways performed and tested; and (4) visitor access and lock\ncombination change procedures were inadequate to restrict\naccess to sensitive resources.\n\xc2\x95 Computer security software was not fully utilized\nto detect and investigate unauthorized access to DEA's\nsensitive data base applications processed at the Justice\nData Center.\nCollectively, these weaknesses substantially increase the\nrisks of unauthorized disclosure of sensitive information. These\nmatters are discussed in the findings and recommendations section\nof the report. Our objectives, scope and methodology, and\nbackground information are contained in Appendix I of the report.\n#####"